# Phishing
## Homoglyphs
{% embed url="" %}
Homoglyphs are Unicode characters that look visually similar to an ASCII character, but are different. You can use these to make your phishing attacks more convincing.
Note: Gmail shows a warning when this is used, but not all email providers do.
Also, you can register a domain with a homoglyph and direct users there.
## Fake Window
{% embed url="" %}
Using Javascript, you can make a fake window that looks exactly like Facebook and that asks you for the login (for OAuth logins).
## Reverse Tabnabbing
{% embed url="" %}
If a website has a link like this:
```
```
\
Or like this:
```
```
Then it’s vulnerable to reverse tabnabbing (tested 23 May 2019 on Firefox and Chrome).
*Note: `target="_blank"` is used to get the link to open in a new tab.*
When you have `target=`"`_blank"`, then you should also really have `rel=`"`noopener noreferrer"` next to it. Otherwise, `bad.example.com` will have the `window.opener` object available to it.\
\
If the website `bad.example.com` runs this Javascript:
```
window.opener.location = "https://phish.example.com";
```
Then the **original tab** will be redirected to a phishing site.
Example: Facebook lets you link to your site using `target="_blank"`. On your site, you run the above Javascript and the original Facebook tab will be redirected to . Assuming you control that domain, you can have it be a phishing site that asks the user to re-enter their password, or something similar.
## Spear Phishing
{% embed url="" %}
Targeted attacks:
{% embed url="" %}
## Email Spoofing
One way to do this is via open relay servers, but those might get blacklisted and there’s a better alternative:
Buy a domain (or use a free one that allows emails to be sent, like 000webhostapp) and create a PHP script that allows you to send emails with custom SMTP headers.
This works after changing the form action in index.php:
{% embed url="" %}
*Note: the script doesn't accept unicode.*
Hosted at